
Virus ordeal - Sevendust/666
Clinically Insane
Join Date: Apr 2000
Sep 29, 2000, 08:29 AM
 
Yeah. I'm infected. Cool. Funnily enough, it was just yesterday I was telling someone "how often does antivirus software help? Although, for the one time it may...".
But anyway.
I cannot find a decent source for information on Sevendust.
I'll update this later with everything I tried to kill it and everything I worked out about it - but I need a description of it.
What it does.
It's on my comp as we speak.
Here's how it happened: Yesterday, I shut down, and TechTool tells me I 'may have a virus'. Wow. Shut down anyway, and forget about it.
Next day, scan the HD, and tell it to fix any files.
It tells me it does.
A friend just today asks me 'what should I trim from my System Folder?'.
I get him to copy a list of all the items in the Extensions folder, and send it to me.
He does.
One of the first items I see "*666" (with * actually being the square). I tell him he has a virus. I get him to send me a copy (I collect them).
I then check my System Folder, and I have it too. Cool!
Anyway, I wanna kill it. I try deleting conventionally - it comes back. I check for suspicious background processes - can't find any. I run Macsbug and see what's running - find a strange item in memory. So, I know how to view memory in Macsbug - how do I clear a memory location?
Anyway, I try trashing then restarting before it reappears. I have noticed lags starting up and shutting down. This may be when it checks for itself and recreates itself if its copy on disk is missing.
So, I delete, empty trash, and hit the reset button, before anything can happen.
I thought that got it. It wasn't in my extensions folder. Then there's the startup lag, and it re-appears.
So I downloaded Agax. I think sevendust is the virus that screws with it, cause it launches, there is the same lag, and says it "may be infected, contact whoever" basically.
So anyway...
How do I kill it? I've been playing around for 1/2 hr and just wanna get it now.
What has it done to me?
Where is there a decent Mac Virus encyclopaedia?
And so on...
TIA

EDIT: I think I just got it. Opened it in ResEdit (doesn't tell me it's busy), and stripped the code from its 'INIT' resource. Bingo. Hasn't tried to repair itself, and I will be able to tell next restart. But that's an unconventional way to do it... and is only temporary. How do I kill it??

EDIT 2: Upon restarting (and noticing the lag before any startup items executed and even before the menubar items appeared), it has come back in its full form. This means one of two things - it has a companion file, or it repaired its hard copy while in memory. I'm gonna strip it again, then just reset. That may rule out the memory option.

EDIT 3: Hmm... Lag at startup still there. And file back in full. What is its companion file? If there is one.

EDIT 4: The memory location I mentioned earlier - I just checked my memory. It is still there (the suspect heap, not in the same location - der). I compared it to a heap check I just did - the two memory blocks are very similar. Of course, if I compared any 2 heaps I imagine they would be. However, this heap has no name. If you know what I mean.

EDIT 5: 'nother idea just occurred to me, so I opened up the extension (*666) in ResEdit and locked it down - not just the Finder lock.
Let's see if it fixes itself now...

Edit 6: I think I just kicked this thing's ass... after locking it up and restarting, it weighs in at 320 bytes (what it was after editing it), instead of its usual 1,891 bytes.
Cool. Damage has prob already been done though. What'd it do to me???

EDIT 7: How ironic - I just realised I have 666.5 megs of HD space left on my OS 9 partition - not caused by the (hopefully neutralised) virus. It's legit.

Cipher13

[This message has been edited by Cipher13 (edited 09-29-2000).]


Professional Poster
Join Date: Mar 1999
Sep 29, 2000, 12:45 PM

Making the rounds on the internet is an Applescript titled MacOS Downloader. Don't kid yourself, it's the "666" SevenDust C Virus. And because the MacOS X uses invisible partitions, even if someone wanted to, you couldn't make an image available for download.

Lunchbox
Guest
Sep 29, 2000, 06:54 PM

Cipher-

I had a 666 infection a while back, here's how it works and how to fix it:

Sevendust is a "polymorphic" virus (it is also the only one of this type on the MacOS), meaning it replicates by itself by installing into other apps. If you look at your apps in ResEdit there will probably be a strange new "INIT" resource - this is Sevendust. Whenever a program starts up, Sevendust installs into the program from the System Folder. If an infected program notices Sevendust isn't there, it installs into the System Folder - you see the problem here (note that a program can only be infected/install Sevendust when it starts up, I think).

You're on the right track to getting rid of Sevendust! Open it in ResEdit - kill the INIT resource and lock it down in ResEdit. This will effectively stop the spread of Sevendust - but it won't get rid of it from your infected apps. To get rid of all of Sevendust, get Virex. It worked for me and did a great job. You can safely delete the extension after it repairs the apps. NOTE: DO NOT RUN VIREX BEFORE YOU REMOVE THE INIT AND LOCK DOWN THE EXTENSION! Virex will become infected and won't let itself run (a neat feature that renders it useless).

Good Luck!

P.S. - Here's a piece of info from Virex's virus def file, it might help you learn where it came from.


666 or SevenDust

The author seems to have a preoccupation with the number 666.

One variant of this family is the ‘Graphics Accelerator’ virus. This was first posted on the Info-Mac archives in the summer of 1998 as a file entitled ‘Graphics Accelerator’. The file description read:

“Enclosed you will find my custom Graphics Accelerator that helps PPC macs speed graphics programs up that use 68k code. It uses a custom blitting subroutine, and it should work on PPC apps as well. Please include it in your Graphics/Utilities directory. Thank you very much.”

An infected machine will erase all non-application files, if started during the 6th hour of the 6th or 12th day of any month. Damage also includes overwriting an application’s menu resource with the f character (Hex 66). Infected applications will also generate the "Graphics Accelerator" extension if it is not present.


Variant F appeared in early 1999. Occasionally, this variant will also display a small window bearing the text ‘666’ and, as well as deleting files as described above, randomly overwrites either a menu resource or a window resource of an application and will produce extension files with any of the following names:

“ADSP Tool”
“AppleTalk Library”
“CD-ROM Driver”
“Ethernet Ports”
“Graphics Accelerator”
“Internet Config”
“Internet Library”
“ISO 9661 File Access”
“MacLinkPlus”
“Monitors Plug-In”
“Open Transport”
“Photo Access™”
“Power Enabler”
“PPP.Lib”
“Serial Port”
“TCP/IP Lib”
“Text Encodings”
“Video Picker”
“VideoSync™”
“XModem Lib”
